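{# Feature toggles read from pillar. Together with the 'role' grain they decide which
   states end up in allowed_states further down this file. #}
{# Integer 0 (not the string '0') is the "disabled" default for the numeric toggles:
   the gates below test these values either for truthiness or with `!= 0`, and a
   non-empty string such as '0' is truthy and never equals the integer 0, so a string
   default would grant the optional state whenever the pillar key is absent. #}
{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
{% set WAZUH = salt['pillar.get']('global:wazuh', 0) %}
{% set PLAYBOOK = salt['pillar.get']('manager:playbook', 0) %}
{% set FREQSERVER = salt['pillar.get']('manager:freq', 0) %}
{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', 0) %}
{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
{# The toggles below default to True, i.e. the component counts as enabled unless
   the pillar explicitly turns it off. #}
{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
{% set STRELKA = salt['pillar.get']('strelka:enabled', 0) %}
{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
{# Expected salt version: load the minion defaults, then rebind the same name to just
   the version value so it can be compared with grains.saltversion. #}
{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
{% set saltversion = saltversion.salt.minion.version %}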

{# allowed_states is the list this map file exports: the state names a node may run.
   It starts empty and is built up below. #}
{% set allowed_states= [] %}

{# Role-specific states are granted only when the minion's running salt version
   (grains.saltversion) equals the version read from salt/minion.defaults.yaml; both
   sides are compared as strings. On a mismatch the list stays empty until the
   unconditional appends at the end of this file. #}
{% if grains.saltversion | string == saltversion | string %}

  {# Base allowlist per node role, selected by the 'role' grain. Everything listed in
     this table is granted without consulting any pillar toggle (for example 'wazuh'
     for so-sensor, or 'filebeat' for so-fleet and so-idh). #}
  {# NOTE(review): no default is passed to grains.filter_by, so a role that is missing
     from this table presumably yields None and the appends below would then fail at
     render time - confirm that this is the intended behaviour for unknown roles. #}
  {% set allowed_states= salt['grains.filter_by']({
      'so-eval': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'manager',
          'nginx',
          'telegraf',
          'influxdb',
          'grafana',
          'soc',
          'kratos',
          'firewall',
          'idstools',
          'suricata.manager',
          'healthcheck',
          'pcap',
          'suricata',
          'utility',
          'schedule',
          'soctopus',
          'tcpreplay',
          'docker_clean',
          'learn'
          ],
      'so-heavynode': [
          'ssl',
          'nginx',
          'telegraf',
          'firewall',
          'pcap',
          'suricata',
          'healthcheck',
          'schedule',
          'tcpreplay',
          'docker_clean'
          ],
      'so-helixsensor': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'telegraf',
          'firewall',
          'idstools',
          'suricata.manager',
          'zeek',
          'redis',
          'elasticsearch',
          'logstash',
          'schedule',
          'tcpreplay',
          'docker_clean'
          ],
      'so-fleet': [
          'ssl',
          'nginx',
          'telegraf',
          'firewall',
          'mysql',
          'redis',
          'fleet',
          'fleet.install_package',
          'filebeat',
          'schedule',
          'docker_clean'
          ],
     'so-idh': [
          'ssl',
          'telegraf',
          'firewall',
          'fleet.install_package',
          'filebeat',
          'idh',
          'schedule',
          'docker_clean'
          ],
      'so-import': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'manager',
          'nginx',
          'soc',
          'kratos',
          'firewall',
          'idstools',
          'suricata.manager',
          'pcap',
          'utility',
          'suricata',
          'zeek',
          'schedule',
          'tcpreplay',
          'docker_clean',
          'learn'
          ],
      'so-manager': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'manager',
          'nginx',
          'telegraf',
          'influxdb',
          'grafana',
          'soc',
          'kratos',
          'firewall',
          'idstools',
          'suricata.manager',
          'utility',
          'schedule',
          'soctopus',
          'docker_clean',
          'learn'
          ],
      'so-managersearch': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'nginx',
          'telegraf',
          'influxdb',
          'grafana',
          'soc',
          'kratos',
          'firewall',
          'manager',
          'idstools',
          'suricata.manager',
          'utility',
          'schedule',
          'soctopus',
          'docker_clean',
          'learn'
          ],
      'so-node': [
          'ssl',
          'nginx',
          'telegraf',
          'firewall',
          'schedule',
          'docker_clean'
          ],
      'so-standalone': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'manager',
          'nginx',
          'telegraf',
          'influxdb',
          'grafana',
          'soc',
          'kratos',
          'firewall',
          'idstools',
          'suricata.manager',
          'pcap',
          'suricata',
          'healthcheck',
          'utility',
          'schedule',
          'soctopus',
          'tcpreplay',
          'docker_clean',
          'learn'
          ],
      'so-sensor': [
          'ssl',
          'telegraf',
          'firewall',
          'nginx',
          'pcap',
          'suricata',
          'healthcheck',
          'wazuh',
          'filebeat',
          'schedule',
          'tcpreplay',
          'docker_clean'
          ],
      'so-receiver': [
          'ssl',
          'telegraf',
          'firewall',
          'schedule',
          'docker_clean'
          ],
      'so-workstation': [
          ],
  }, grain='role') %}

  {# Pillar-gated additions: each state below is appended only when its toggle is set
     AND the node's role is one of those listed in the gate. #}
  {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %}
    {% do allowed_states.append('filebeat') %}
  {% endif %}

  {# NOTE(review): PLAYBOOK, FREQSERVER and DOMAINSTATS are compared with the integer
     0, so any other value (including a string such as '0') counts as enabled; WAZUH
     and STRELKA are plain truthiness tests, for which a non-empty string is truthy as
     well. Confirm that the pillar supplies integers or booleans for these keys. #}
  {# mysql is needed when either Fleet role flag is set or Playbook is enabled. #}
  {% if ((FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
    {% do allowed_states.append('mysql') %}
  {% endif %}

  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('fleet.install_package') %}
  {% endif %}

  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %}
    {% do allowed_states.append('fleet') %}
  {% endif %}

  {# On so-eval 'redis' can be appended twice (by this gate and by the Playbook gate
     further down); the list is not de-duplicated in this file. #}
  {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}

  {# zeek is allowed unless the metadata engine pillar (global:mdengine) is exactly 'SURICATA'. #}
  {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
    {% do allowed_states.append('zeek') %}
  {%- endif %}

  {% if STRELKA and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
    {% do allowed_states.append('strelka') %}
  {% endif %}

  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%}
    {% do allowed_states.append('wazuh') %}
  {% endif %}

  {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %}
    {% do allowed_states.append('elasticsearch') %}
  {% endif %}

  {# elasticsearch.auth is granted to a narrower role set than elasticsearch itself
     (so-node and so-heavynode are not in this list). #}
  {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
    {% do allowed_states.append('elasticsearch.auth') %}
  {% endif %}

  {# kibana and kibana.secrets are always granted together. #}
  {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
    {% do allowed_states.append('kibana') %}
    {% do allowed_states.append('kibana.secrets') %}
  {% endif %}

  {# NOTE(review): unlike the neighbouring gates, this one does not test the CURATOR
     toggle read from curator:enabled, so 'curator' is granted on these roles whatever
     the pillar says - confirm whether that is deliberate. #}
  {% if grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
    {% do allowed_states.append('curator') %}
  {% endif %}

  {% if ELASTALERT and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('elastalert') %}
  {% endif %}

  {% if (PLAYBOOK !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('playbook') %}
  {% endif %}

  {# Playbook on so-eval also grants 'redis'. #}
  {% if (PLAYBOOK !=0) and grains.role in ['so-eval'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}

  {% if (FREQSERVER !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('freqserver') %}
  {% endif %}

  {% if (DOMAINSTATS !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('domainstats') %}
  {% endif %}

  {# so-helixsensor already carries 'logstash' in its base list, so this gate can add a
     second copy for that role. #}
  {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('logstash') %}
  {% endif %}

  {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('redis') %}
  {% endif %}

  {# CentOS only: 'yum' is withheld when the airgap flag is set, while 'yum.packages'
     is granted on every CentOS node. #}
  {% if grains.os == 'CentOS' %}
    {% if not ISAIRGAP %}
      {% do allowed_states.append('yum') %}
    {% endif %}
    {% do allowed_states.append('yum.packages') %}
  {% endif %}

  {# Every node on the expected salt version, whatever its role, may run the states below. #}
  {% do allowed_states.append('common') %}
  {% do allowed_states.append('patch.os.schedule') %}
  {% do allowed_states.append('motd') %}
  {% do allowed_states.append('salt.minion-check') %}
  {% do allowed_states.append('sensoroni') %}
  {% do allowed_states.append('salt.lasthighstate') %}

{% endif %}


{# Evaluated outside the salt-version check: when the airgap pillar flag is set, the
   'airgap' state is allowed even on a node whose salt version does not match. #}
{% if ISAIRGAP %}{% do allowed_states.append('airgap') %}{% endif %}

{# 'salt.minion' is granted unconditionally, so it is the one state every node can
   run even when its salt version does not match the expected one. #}
{% do allowed_states.append('salt.minion') %}
